[squid-users] MITM the MITM

Grant Taylor gtaylor at tnetconsulting.net
Thu Jan 6 17:33:17 UTC 2022


On 1/4/22 2:35 AM, Will BMD wrote:
> HTTP proxy limitation
> 
> The system cannot decrypt traffic if an HTTP proxy is positioned 
> between a client and your managed device, and the client and server 
> establish a tunneled TLS/SSL connection using the CONNECT HTTP 
> method. The Handshake Errors undecryptable action determines how the 
> system handles this traffic.

I ... don't know what to make of this.  I would have some questions for 
the vendor (Cisco).

This sort of hints at a technical limitation that the Cisco FTDv /might/ 
have.  It sounds to me like the firewall might be able to pretend to be 
a web server via interception of some sort, but that it can't handle 
HTTP's CONNECT verb which is common to use on proxies particularly for 
HTTPS connections.

I'm fairly certain that Squid /does/ support bumping such CONNECT requests.

This also hints at /needing/ ~> /requiring/ the downstream client 
devices to /not/ be configured to use the firewall as a proxy.  Because 
if the clients are configured to use the firewall as a proxy, they will 
inherently issue CONNECT requests.

More questions.  This itches like a limitation.

It also /really/ seems to me like Squid /should/ be able to work behind 
this as long as it has the proper public root certificate that is used 
to support the (re)signing.

> Okay, what if we removed the firewall and replaced it with another 
> squid proxy server, where that is also doing ssl_bump. I assume this 
> would work but are there negative implications of doing so?

I would /expect/ that two Squid servers could work in this type of 
configuration.  It's my understanding that Squid has support for parent 
/ child proxy hierarchies that would apply to this.  Even if it did not, 
I think that two simple ssl_bump Squid servers /should/ work with each 
other.  Proper certificate trust configuration notwithstanding.



-- 
Grant. . . .
unix || die
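The child-plus-parent Squid arrangement discussed above, written out as an added configuration example (not taken from this thread or from the Squid project). Hostnames, file paths and the CA file names are assumed, and it assumes a Squid 4 or later build that can relay bumped requests to a cache_peer as CONNECT tunnels.

```conf
# ===== /etc/squid/squid.conf on the CHILD proxy (the one clients point at) =====
# Clients are configured to use this host as their proxy, so every HTTPS
# request arrives as a CONNECT; ssl-bump on the listening port handles that.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/child-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=16MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 5

# Peek at the client hello first (SNI), then impersonate the origin with a
# certificate minted under child-ca.pem. Clients must trust child-ca.pem.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Never contact origins directly: all traffic, bumped traffic included, is
# relayed to the parent as a CONNECT tunnel, which the parent bumps in turn.
cache_peer parent.proxy.example parent 3128 0 no-query no-digest default
never_direct allow all

# The origin certificate the child sees inside that tunnel was re-signed by
# the parent, so the child must trust the parent's signing CA (parent-ca.pem)
# or every upstream TLS handshake fails validation.
tls_outgoing_options cafile=/etc/squid/parent-ca.pem

# ===== /etc/squid/squid.conf on the PARENT proxy (upstream, goes direct) =====
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/parent-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=16MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 5

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# The parent talks to real origins, so it validates against the public roots.
tls_outgoing_options cafile=/etc/ssl/certs/ca-certificates.crt
```

The trust chain is the whole point: clients trust the child CA, the child trusts the parent CA, and only the parent trusts the public roots, so a validation failure at any hop shows up as a handshake error rather than silently passing traffic.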
